RFI Hawk
Trust Center
Operated by Salian Defense Inc.
Last Updated: April 2026
RFI Hawk is built by a defense-industry team for defense and federal contractors. Security and privacy are first-class concerns for our customers and for us. This page summarizes the commitments we make to every account. We do not publish low-level implementation details, software bills of materials, or specific vendor relationships in public. Detailed documentation is shared with prospects and customers under NDA on request.
Data Protection
- Encryption in transit. All connections between your browser and our application are protected by modern TLS, with HTTP Strict Transport Security (HSTS) enforced in production.
- Encryption at rest. Sensitive fields (for example, two-factor authentication secrets and CUI scoping data) are encrypted with AES-256-GCM authenticated encryption, using a randomly generated nonce per value and a versioned ciphertext format, before being written to disk.
- No payment card data on our servers. All payment processing is performed by a PCI DSS Level 1 certified processor (Stripe); card numbers never reach our infrastructure.
- Defense-in-depth web protections across the application, including CSRF protection on all state-changing requests, content security policy and related security headers, rate limiting on authentication endpoints, and request validation.
- Secrets are kept out of source code. Credentials and API keys are managed through environment-based secret stores and can be rotated via tooling, including key rotation for the field-encryption key.
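The field-encryption scheme described above (AES-256-GCM, a random nonce per value, a versioned ciphertext format, and rotation of the field-encryption key) can be illustrated with a small envelope format. This is an added example, not RFI Hawk's own code: the header layout, the two-byte key ID, the `FieldEncryptor` class and the use of the `cryptography` package are assumptions made for illustration. It also shows one detail the summary does not mention, binding the ciphertext to its table, column and row through GCM's associated data so a value copied between rows fails authentication.

```python
# Added example (not RFI Hawk's code): a versioned AES-256-GCM envelope for
# individual database fields, with per-value random nonces and key rotation.
# Header layout and field names are assumptions for illustration.
import os
import struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

FORMAT_VERSION = 1
NONCE_LEN = 12          # 96-bit nonce, the recommended size for GCM
HEADER = struct.Struct(">BH")   # format version (1 byte) | key id (2 bytes)


class FieldEncryptor:
    """Encrypts single fields. Every ciphertext carries its format version and
    the ID of the key that produced it, so rows written under an older key stay
    readable after the current key is rotated."""

    def __init__(self, keys: dict[int, bytes], current_key_id: int):
        for key in keys.values():
            if len(key) != 32:
                raise ValueError("AES-256 requires 32-byte keys")
        if current_key_id not in keys:
            raise KeyError("current key id has no key material")
        self._keys = dict(keys)
        self._current = current_key_id

    def encrypt(self, plaintext: bytes, aad: bytes = b"") -> bytes:
        # A fresh random nonce per value: nonce reuse under one GCM key is fatal.
        nonce = os.urandom(NONCE_LEN)
        ct = AESGCM(self._keys[self._current]).encrypt(nonce, plaintext, aad)
        return HEADER.pack(FORMAT_VERSION, self._current) + nonce + ct

    def decrypt(self, blob: bytes, aad: bytes = b"") -> bytes:
        version, key_id = HEADER.unpack_from(blob)
        if version != FORMAT_VERSION:
            raise ValueError(f"unsupported ciphertext version {version}")
        key = self._keys.get(key_id)
        if key is None:
            raise KeyError(f"no key material for key id {key_id}")
        start = HEADER.size
        nonce, ct = blob[start:start + NONCE_LEN], blob[start + NONCE_LEN:]
        # Raises InvalidTag if the ciphertext, tag or associated data was altered.
        return AESGCM(key).decrypt(nonce, ct, aad)

    def is_authentic(self, blob: bytes, aad: bytes = b"") -> bool:
        """True if the value decrypts and authenticates under the given AAD."""
        try:
            self.decrypt(blob, aad)
            return True
        except (InvalidTag, KeyError, ValueError):
            return False

    def needs_rotation(self, blob: bytes) -> bool:
        """True if the value was written under a key other than the current one."""
        _, key_id = HEADER.unpack_from(blob)
        return key_id != self._current

    def rotate(self, blob: bytes, aad: bytes = b"") -> bytes:
        """Re-encrypt a stored value under the current key after a key rotation."""
        return self.encrypt(self.decrypt(blob, aad), aad)


def row_aad(table: str, column: str, row_id: int) -> bytes:
    """Associated data that ties a ciphertext to the exact cell it belongs to."""
    return f"{table}.{column}:{row_id}".encode()
```

Rotation is then a background job: load each row, call `needs_rotation`, and write back `rotate(...)` for the ones still on the old key; the old key is retired only once no row references its ID.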
Authentication and Access Control
- Strong password handling. Passwords are stored as one-way salted hashes; we cannot read or recover them.
- Two-factor authentication with standards-based authenticator apps is supported on every account.
- Single sign-on with Google, Microsoft, GitHub, and Apple.
- Role-based access control across customer-facing and administrative features.
- Session protection including session expiration, IP-aware re-authentication on sensitive actions, and per-tier session limits.
Application Integrity
- Hardened error handling. Error pages do not leak stack traces, server software, or internal paths.
- Input handling uses parameterized queries throughout (SQLAlchemy ORM); no user input is interpolated into database statements.
- Object-level access control (IDOR protection). Every request for a user-owned resource is checked against the requester's ownership before it is returned, so one account cannot read or modify another account's data by guessing identifiers.
- Security event logging. Authentication events, administrative actions, and access-control violations are recorded with severity, category, source IP, and user agent, and are reviewable by our team.
- Dependency hygiene. Dependencies are version-pinned and monitored for known vulnerabilities (GitHub Dependabot alerts).
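The object-level ownership check and the security event record described above fit together in one small service. This is an added example, not RFI Hawk's own code: the in-memory document store, the `RequestContext` and `SecurityEventLog` classes, the event field names and the choice to answer both missing and foreign objects with the same not-found error are assumptions for illustration.

```python
# Added example (not RFI Hawk's code): ownership check on a user-owned resource
# that records an access-control violation as a structured security event.
# Store, context and event field names are assumptions for illustration.
from dataclasses import dataclass
import json
import logging


@dataclass
class Document:
    id: int
    owner_id: int
    title: str


@dataclass(frozen=True)
class RequestContext:
    user_id: int        # taken from the authenticated session, never from the URL
    source_ip: str
    user_agent: str


class NotFound(Exception):
    """Raised for both missing and foreign objects, so the response does not
    reveal whether a guessed identifier exists."""


class SecurityEventLog:
    """Collects security events with severity, category, source IP and user agent."""

    def __init__(self) -> None:
        self.events: list[dict] = []
        self._logger = logging.getLogger("security")

    def record(self, severity: str, category: str, ctx: RequestContext, **details) -> dict:
        event = {
            "severity": severity,
            "category": category,
            "user_id": ctx.user_id,
            "source_ip": ctx.source_ip,
            "user_agent": ctx.user_agent,
            **details,
        }
        self.events.append(event)
        self._logger.log(getattr(logging, severity), json.dumps(event))
        return event


class DocumentService:
    def __init__(self, store: dict[int, Document], audit: SecurityEventLog) -> None:
        self._store = store
        self._audit = audit

    def get_document(self, ctx: RequestContext, doc_id: int) -> Document:
        doc = self._store.get(doc_id)
        if doc is None:
            raise NotFound(doc_id)
        if doc.owner_id != ctx.user_id:
            # Ownership is compared against the session identity; a request for
            # another account's object is logged as a violation and then denied.
            self._audit.record(
                "WARNING", "access_violation", ctx,
                resource="document", resource_id=doc_id, owner_id=doc.owner_id,
            )
            raise NotFound(doc_id)
        return doc


def build_demo_service(audit: SecurityEventLog) -> DocumentService:
    """Constructed sample data: two documents owned by two different users."""
    store = {
        101: Document(101, owner_id=1, title="Proposal A"),
        102: Document(102, owner_id=2, title="Proposal B"),
    }
    return DocumentService(store, audit)
```

The check runs before any data leaves the service, and the event carries enough context (requester, owner, object, IP, user agent) for an analyst to tell a stray bookmark from an identifier-guessing sweep.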
Data Use and Retention
- Your data is yours. We do not sell, rent, or share customer data with third parties for advertising or model training.
- AI providers do not train on your content. Our AI processing partners operate under contracts that prohibit using customer inputs or outputs for training and require deletion after the request lifecycle.
- Configurable retention. Account owners can configure retention windows for uploaded documents, proposal drafts, and historical scoring data in Settings.
- Account deletion. On request, we delete all customer data within 30 days, subject to legal and tax retention requirements.
NIST 800-53 Control Alignment
We map our controls against the NIST SP 800-53 Rev. 5 Moderate baseline. The following control families have controls implemented today with supporting evidence. This is a summary of what is genuinely in place, not a claim of authorization:
- Access Control (AC). Authentication required on all non-public routes, role- and tier-based feature gating, object-level ownership checks (IDOR protection), and rate-limited login with failed-attempt logging.
- Audit and Accountability (AU). Security event logging capturing severity, category, source IP, and user agent for authentication, administrative, and access-violation events, with admin review.
- Identification and Authentication (IA). Salted one-way password hashing, optional TOTP two-factor authentication with secrets encrypted at rest, and single sign-on via established identity providers.
- System and Communications Protection (SC). TLS in transit with HSTS, AES-256-GCM field-level encryption at rest, and content security policy plus framing and content-type protection headers.
- System and Information Integrity (SI). Parameterized queries, hardened error pages with no stack-trace disclosure, configurable data-retention enforcement, and pinned, vulnerability-monitored dependencies.
Additional families (for example, Configuration Management, Contingency Planning, and Incident Response) are partially implemented or documented as planned. A full control-by-control status register is maintained internally and shared with qualified prospects and customers under NDA.
Certifications and Roadmap
- What we do not claim. RFI Hawk does not currently hold a FedRAMP authorization, a SOC 2 attestation, or an ISO 27001 certification, and we do not claim any certification we have not earned.
- FedRAMP and GovCloud are a documented post-GA roadmap item. Pursuing a FedRAMP authorization on a U.S. government cloud (AWS GovCloud or Azure Government), where the underlying cryptographic modules are FIPS 140-2 validated, is a planned milestone after general availability — not a status we hold today.
- Honest, evidence-based posture. Our control mappings, gaps, plan of action and milestones (POA&M), and assessment artifacts are documented internally and made available to qualified prospects and customers under NDA on request.
Vulnerability Disclosure
If you believe you have found a security vulnerability in RFI Hawk, please disclose it responsibly to security@saliandefense.com. Encrypted reports are welcome; PGP details are available on request.
We acknowledge legitimate reports within two business days and work in good faith with researchers who follow responsible-disclosure norms.